General

  • Target

    Nurik Nextgen.zip

  • Size

    18.3MB

  • Sample

    240716-tzk8ma1cnr

  • MD5

    3fc9a11e02cb42d213d905f1d8ad6fa0

  • SHA1

    209513a3c96a5afa02987a792ba23d61bcffcb75

  • SHA256

    5080fde04d9c1a84629ef9115de89032f4648865a763b759e03140c82e55ef03

  • SHA512

    0de34b6a34f4aadcddbb0bd37e337e21f3e641a70396491d430879a3192459b754a1d403417e8c5477d613afe0073440fe961d3f00e109075620895407902d86

  • SSDEEP

    393216:VbXvrdREZMNsYJFJxcTT45MczYrjpJViNyBBJNPrNf4H75o:FBREZMhd0T4dYHNHBB3PtW7a

Targets

    • Target

      Nurik Nextgen.zip

    • DcRat

      DarkCrystal (DCRat) is a .NET remote access trojan active since June 2019 that can load additional plugins to extend its functionality.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example via an exploit or a malicious macro.

    • DCRat payload

      Detects the DCRat payload, which is commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
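The signatures above name behaviours but not how they are matched. The following Python script is an added example, not part of this report and not the sandbox's own detection logic: it replays a constructed sandbox-style event stream and maps each hit back to one of the signatures listed above. Every event, file path, registry key, hostname and process name in it is an assumption chosen to exercise the rules, and the indicator lists are deliberately short.

```python
import json
import ntpath
from collections import defaultdict

# Constructed sandbox-style event stream for this example (not from the report):
# one JSON object per line. Field names and the chain of events are assumptions.
SAMPLE_EVENTS = r"""
{"type":"process_start","pid":1200,"ppid":800,"image":"C:\\Users\\victim\\Desktop\\dropper.exe","parent_image":"C:\\Windows\\explorer.exe"}
{"type":"registry_read","pid":1200,"key":"HKCU\\Control Panel\\International\\Geo\\Nation"}
{"type":"file_write","pid":1200,"path":"C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe"}
{"type":"process_start","pid":1344,"ppid":1200,"image":"C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe","parent_image":"C:\\Users\\victim\\Desktop\\dropper.exe"}
{"type":"file_read","pid":1344,"path":"C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","pid":1344,"path":"C:\\Users\\victim\\AppData\\Roaming\\Exodus\\exodus.wallet\\seed.seco"}
{"type":"dns_query","pid":1344,"query":"api.ipify.org"}
{"type":"process_start","pid":1500,"ppid":900,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"type":"process_start","pid":1600,"ppid":800,"image":"C:\\Windows\\System32\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe"}
"""

# Indicators per signature. These lists are illustrative assumptions and
# deliberately short; a production rule set would be much broader.
GEO_KEYS = ("\\international\\geo\\nation", "\\nls\\language")
BROWSER_MARKERS = ("\\user data\\default\\login data",
                   "\\user data\\default\\cookies", "\\logins.json")
WALLET_MARKERS = ("exodus.wallet", "wallet.dat", "\\electrum\\wallets")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com",
                   "ipinfo.io", "checkip.amazonaws.com"}
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def triage(event_text):
    """Replay newline-delimited JSON events and return {signature: sorted pids}.

    The pid credited is the process that performed the action; for
    "Executes dropped EXE" and "unexpected child process" it is the parent
    that spawned the child.
    """
    hits = defaultdict(set)
    dropped = set()  # lower-cased paths of executables written during the run
    for line in event_text.strip().splitlines():
        ev = json.loads(line)
        kind, pid = ev["type"], ev["pid"]
        if kind == "file_write" and ev["path"].lower().endswith(".exe"):
            dropped.add(ev["path"].lower())
        elif kind == "process_start":
            image = ev["image"].lower()
            parent = ntpath.basename(ev["parent_image"]).lower()
            # Correlation: a file written earlier in this run is now executing.
            if image in dropped:
                hits["Executes dropped EXE"].add(ev["ppid"])
            # A document handler launching a shell is the classic macro/exploit chain.
            if parent in DOCUMENT_HANDLERS and ntpath.basename(image) in SHELLS:
                hits["Process spawned unexpected child process"].add(ev["ppid"])
        elif kind == "registry_read":
            if any(k in ev["key"].lower() for k in GEO_KEYS):
                hits["Checks computer location settings"].add(pid)
        elif kind == "file_read":
            path = ev["path"].lower()
            if any(m in path for m in BROWSER_MARKERS):
                hits["Reads user/profile data of web browsers"].add(pid)
            if any(m in path for m in WALLET_MARKERS):
                hits["Accesses cryptocurrency files/wallets"].add(pid)
        elif kind == "dns_query" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            hits["Looks up external IP address via web service"].add(pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name}: pids {pids}")
```

Two design points are worth noting. "Executes dropped EXE" is a correlation across events (a write followed by a process start of the same path), not a match on a single event, which is why the script keeps state across the replay. The external IP lookup rule matches legitimate services, so on its own it is a weak indicator; it gains weight only in combination with the other hits on the same process, as in the constructed chain here.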

MITRE ATT&CK Enterprise v15